From c260242659dbb4c208e8e63efc3721209d01f065 Mon Sep 17 00:00:00 2001
From: nico
Date: Sun, 4 Apr 2010 12:47:52 +0000
Subject: [PATCH] [backfire] netfilter: backport r20690, r20693 & r20694

git-svn-id: svn://svn.openwrt.org/openwrt/branches/backfire@20695 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 include/netfilter.mk | 78 ++++++++--------
 package/kernel/modules/netfilter.mk | 137 +++++++++------------------
 2 files changed, 85 insertions(+), 130 deletions(-)

diff --git a/include/netfilter.mk b/include/netfilter.mk
index 838029e2e..76b641724 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2008 OpenWrt.org
+# Copyright (C) 2006-2010 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -29,41 +29,6 @@ $(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_IPTABLES, $(P_V4)ip_t
 $(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_FILTER, $(P_V4)iptable_filter),))
 $(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_MANGLE, $(P_V4)iptable_mangle),))
 
-#
-# ebtables
-#
-
-$(eval $(if $(NF_KMOD),$(call nf_add,EBTABLES,CONFIG_BRIDGE_NF_EBTABLES, $(P_EBT)ebtables),))
-
-# ebtables: tables
-$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_BROUTE, $(P_EBT)ebtable_broute))
-$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_T_FILTER, $(P_EBT)ebtable_filter))
-$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_T_NAT, $(P_EBT)ebtable_nat))
-
-# ebtables: matches
-$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_802_3, $(P_EBT)ebt_802_3))
-$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_AMONG, $(P_EBT)ebt_among))
-$(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_ARP, $(P_EBT)ebt_arp))
-$(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_IP, $(P_EBT)ebt_ip))
-$(eval $(call nf_add,EBTABLES_IP6,CONFIG_BRIDGE_EBT_IP6, $(P_EBT)ebt_ip6))
-$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_LIMIT, $(P_EBT)ebt_limit))
-$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_MARK, $(P_EBT)ebt_mark_m))
-$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_PKTTYPE, $(P_EBT)ebt_pkttype))
-$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_STP, $(P_EBT)ebt_stp))
-$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_VLAN, $(P_EBT)ebt_vlan))
-
-# targets
-$(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_ARPREPLY, $(P_EBT)ebt_arpreply))
-$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_MARK_T, $(P_EBT)ebt_mark))
-$(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_DNAT, $(P_EBT)ebt_dnat))
-$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_REDIRECT, $(P_EBT)ebt_redirect))
-$(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_SNAT, $(P_EBT)ebt_snat))
-
-# watchers
-$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_LOG, $(P_EBT)ebt_log))
-$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_ULOG, $(P_EBT)ebt_ulog))
-$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_NFLOG, $(P_EBT)ebt_nflog))
-
 
 # userland only
 $(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CORE,CONFIG_IP_NF_IPTABLES, xt_standard ipt_icmp xt_tcp xt_udp xt_comment)))
@@ -120,10 +85,11 @@ $(eval $(call nf_add,IPT_CONNTRACK_EXTRA,CONFIG_NETFILTER_XT_TARGET_CONNMARK, $(
 
 $(eval $(call nf_add,IPT_EXTRA,CONFIG_IP_NF_MATCH_CONDITION, $(P_V4)ipt_condition))
 $(eval $(call nf_add,IPT_EXTRA,CONFIG_IP_NF_MATCH_OWNER, $(P_V4)ipt_owner))
+$(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_OWNER, $(P_XT)xt_owner))
 $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_PHYSDEV, $(P_XT)xt_physdev))
 $(eval $(call nf_add,IPT_EXTRA,CONFIG_IP_NF_MATCH_PKTTYPE, $(P_V4)ipt_pkttype))
 $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_PKTTYPE, $(P_XT)xt_pkttype))
-#$(eval $(call nf_add,IPT_EXTRA,CONFIG_IP_NF_MATCH_QUOTA, $(P_V4)ipt_quota))
+$(eval $(call nf_add,IPT_EXTRA,CONFIG_IP_NF_MATCH_QUOTA, $(P_V4)ipt_quota))
 $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_QUOTA, $(P_XT)xt_quota))
 #$(eval $(call nf_add,IPT_EXTRA,CONFIG_IP_NF_TARGET_ROUTE, $(P_V4)ipt_ROUTE))
 
@@ -257,6 +223,7 @@ $(eval $(call nf_add,IPT_NATHELPER,CONFIG_IP_NF_NAT_IRC, $(P_V4)ip_nat_irc))
 $(eval $(call nf_add,IPT_NATHELPER,CONFIG_NF_CONNTRACK_IRC, $(P_XT)nf_conntrack_irc))
 $(eval $(call nf_add,IPT_NATHELPER,CONFIG_NF_NAT_IRC, $(P_V4)nf_nat_irc))
 $(eval $(call nf_add,IPT_NATHELPER,CONFIG_IP_NF_TFTP, $(P_V4)ip_conntrack_tftp))
+$(eval $(call nf_add,IPT_NATHELPER,CONFIG_IP_NF_NAT_TFTP, $(P_V4)ip_nat_tftp))
 $(eval $(call nf_add,IPT_NATHELPER,CONFIG_NF_CONNTRACK_TFTP, $(P_XT)nf_conntrack_tftp))
 $(eval $(call nf_add,IPT_NATHELPER,CONFIG_NF_NAT_TFTP, $(P_V4)nf_nat_tftp))
 
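Review bot: The `#$(eval $(call nf_add,IPT_EXTRA,CONFIG_IP_NF_TARGET_ROUTE, $(P_V4)ipt_ROUTE))` line at the end of the `@@ -120` hunk is left as commented-out config with no reason recorded, directly below the sibling ipt_quota registration that this commit re-enables in exactly the same way. A commented registration gives the next backport no way to tell whether ROUTE was dropped deliberately or simply never worked, so either remove the line or annotate it, e.g. `# ipt_ROUTE: intentionally not built -- <reason>` on the line above it. Whether the IPT_EXTRA section continues past the hunk's trailing blank line is not visible here.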
@@ -264,6 +231,7 @@ $(eval $(call nf_add,IPT_NATHELPER,CONFIG_NF_NAT_TFTP, $(P_V4)nf_nat_tftp))
 
 # nathelper-extra
 $(eval $(call nf_add,IPT_NATHELPER_EXTRA,CONFIG_IP_NF_AMANDA, $(P_V4)ip_conntrack_amanda))
+$(eval $(call nf_add,IPT_NATHELPER_EXTRA,CONFIG_IP_NF_NAT_AMANDA, $(P_V4)ip_nat_amanda))
 $(eval $(call nf_add,IPT_NATHELPER_EXTRA,CONFIG_NF_CONNTRACK_AMANDA, $(P_XT)nf_conntrack_amanda))
 $(eval $(call nf_add,IPT_NATHELPER_EXTRA,CONFIG_NF_NAT_AMANDA, $(P_V4)nf_nat_amanda))
 $(eval $(call nf_add,IPT_NATHELPER_EXTRA,CONFIG_IP_NF_CT_PROTO_GRE, $(P_V4)ip_conntrack_proto_gre))
@@ -302,6 +270,42 @@ $(eval $(call nf_add,IPT_QUEUE,CONFIG_IP_NF_QUEUE, $(P_V4)ip_queue))
 $(eval $(call nf_add,IPT_ULOG,CONFIG_IP_NF_TARGET_ULOG, $(P_V4)ipt_ULOG))
 
 
+#
+# ebtables
+#
+
+$(eval $(if $(NF_KMOD),$(call nf_add,EBTABLES,CONFIG_BRIDGE_NF_EBTABLES, $(P_EBT)ebtables),))
+
+# ebtables: tables
+$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_BROUTE, $(P_EBT)ebtable_broute))
+$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_T_FILTER, $(P_EBT)ebtable_filter))
+$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_T_NAT, $(P_EBT)ebtable_nat))
+
+# ebtables: matches
+$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_802_3, $(P_EBT)ebt_802_3))
+$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_AMONG, $(P_EBT)ebt_among))
+$(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_ARP, $(P_EBT)ebt_arp))
+$(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_IP, $(P_EBT)ebt_ip))
+$(eval $(call nf_add,EBTABLES_IP6,CONFIG_BRIDGE_EBT_IP6, $(P_EBT)ebt_ip6))
+$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_LIMIT, $(P_EBT)ebt_limit))
+$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_MARK, $(P_EBT)ebt_mark_m))
+$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_PKTTYPE, $(P_EBT)ebt_pkttype))
+$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_STP, $(P_EBT)ebt_stp))
+$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_VLAN, $(P_EBT)ebt_vlan))
+
+# targets
+$(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_ARPREPLY, $(P_EBT)ebt_arpreply))
+$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_MARK_T, $(P_EBT)ebt_mark))
+$(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_DNAT, $(P_EBT)ebt_dnat))
+$(eval $(call nf_add,EBTABLES,CONFIG_BRIDGE_EBT_REDIRECT, $(P_EBT)ebt_redirect))
+$(eval $(call nf_add,EBTABLES_IP4,CONFIG_BRIDGE_EBT_SNAT, $(P_EBT)ebt_snat))
+
+# watchers
+$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_LOG, $(P_EBT)ebt_log))
+$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_ULOG, $(P_EBT)ebt_ulog))
+$(eval $(call nf_add,EBTABLES_WATCHERS,CONFIG_BRIDGE_EBT_NFLOG, $(P_EBT)ebt_nflog))
+
+
 # userland only
 IPT_BUILTIN += $(IPT_CORE-y) $(IPT_CORE-m)
 IPT_BUILTIN += $(IPT_CONNTRACK-y)
diff --git a/package/kernel/modules/netfilter.mk b/package/kernel/modules/netfilter.mk
index bf46a72c4..d19a16da3 100644
--- a/package/kernel/modules/netfilter.mk
+++ b/package/kernel/modules/netfilter.mk
@@ -21,18 +21,13 @@ endef
 define KernelPackage/ipt-core/description
  Netfilter core kernel modules
  Includes:
- - ipt_limit
- - xt_limit
- - ipt_mac
- - xt_mac
- - ipt_multiport
- - xt_multiport
- - ipt_comment
- - xt_comment
- - ipt_LOG
- - ipt_TCPMSS
- - xt_TCPMSS
- - ipt_REJECT
+ - comment (2.6)
+ - limit
+ - LOG
+ - mac
+ - multiport
+ - REJECT
+ - TCPMSS
 endef
 
 $(eval $(call KernelPackage,ipt-core))
@@ -56,11 +51,10 @@ define KernelPackage/ipt-conntrack/description
  Netfilter (IPv4) kernel modules for connection tracking
  Includes:
  - conntrack
- - defrag
+ - defrag (2.6)
  - iptables_raw
  - NOTRACK
  - state
- - xt_NOTRACK
 endef
 
 $(eval $(call KernelPackage,ipt-conntrack))
@@ -98,10 +92,8 @@ endef
 define KernelPackage/ipt-filter/description
  Netfilter (IPv4) kernel modules for packet content inspection
  Includes:
- - ipt_layer7
- - ipt_string
- - xt_layer7
- - xt_string
+ - layer7
+ - string
 endef
 
 $(eval $(call KernelPackage,ipt-filter))
@@ -118,30 +110,18 @@ endef
 define KernelPackage/ipt-ipopt/description
  Netfilter (IPv4) modules for matching/changing IP packet options
  Includes:
- - ipt_dscp
- - xt_dscp
- - xt_DSCP
- - ipt_ecn
- - ipt_length
- - xt_length
- - ipt_mark
- - xt_mark
- - xt_statistic
- - ipt_tcpmss
- - xt_tcpmss
- - ipt_time
- - xt_time
- - ipt_unclean
- - ipt_CLASSIFY
- - xt_CLASSIFY
- - ipt_DSCP
- - ipt_ECN
- - ipt_MARK
- - xt_MARK
- - xt_tos
- - xt_TOS
- - xt_hl
- - xt_HL
+ - CLASSIFY
+ - dscp/DSCP
+ - ecn/ECN
+ - hl/HL (2.6.30 and later)
+ - length
+ - mark/MARK
+ - statistic (2.6)
+ - tcpmss
+ - time
+ - tos/TOS (prior to 2.6.25)
+ - ttl/TTL (prior to 2.6.30)
+ - unclean
 endef
 
 $(eval $(call KernelPackage,ipt-ipopt))
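Review bot: `comment (2.6)` in the ipt-core list replaces an entry that named both `ipt_comment` and `xt_comment`, and since the `ipt_` spelling is the pre-xtables module name the old list presumably meant comment was built on 2.4 kernels as well; one of the two lists is wrong, and the IPT_CORE nf_add lines in include/netfilter.mk (only partly in this diff) are where to settle it. More generally this hunk, and the ipt-conntrack, ipt-ipsec, ipt-nat-extra and ipt-nathelper-extra hunks that follow, introduce a bare `(2.6)` / `(2.4)` shorthand without ever saying whether it means "only on that kernel series" or "that series and later", while ipt-ipopt spells its ranges out (`prior to 2.6.25`, `2.6.30 and later`) and ipt-extra writes `2.4 only`. One legend line per list stating what the bracketed kernel version means would make the descriptions self-explanatory and remove the need to consult the nf_add tables.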
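Review bot: `ttl/TTL (prior to 2.6.30)` is new in the ipt-ipopt list with no counterpart among the removed entries, which had `xt_hl`/`xt_HL` and `xt_tos`/`xt_TOS` but no `ipt_ttl`, `ipt_TTL` or `xt_ttl`, so the line either repairs an old omission or advertises modules the package does not ship. Check the IPT_IPOPT nf_add lines in include/netfilter.mk (not part of this diff) before keeping it, and drop the entry if they are absent rather than let the package description promise a match that is not built. If ttl/TTL really is just the pre-2.6.30 spelling of hl/HL, a single line saying so would also read better than two version-bounded entries for the same match.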
@@ -158,10 +138,9 @@ endef
 define KernelPackage/ipt-ipsec/description
  Netfilter (IPv4) modules for matching IPSec packets
  Includes:
- - ipt_ah
- - ipt_esp
- - xt_esp
- - xt_policy
+ - ah
+ - esp
+ - policy (2.6)
 endef
 
 $(eval $(call KernelPackage,ipt-ipsec))
@@ -195,7 +174,7 @@ endef
 define KernelPackage/ipt-nat-extra/description
  Netfilter (IPv4) kernel modules for extra NAT targets
  Includes:
- - MIRROR
+ - MIRROR (2.4)
  - NETMAP
  - REDIRECT
 endef
@@ -214,17 +193,9 @@ endef
 define KernelPackage/ipt-nathelper/description
  Default Netfilter (IPv4) Conntrack and NAT helpers
  Includes:
- - ip_conntrack_ftp
- - ip_nat_ftp
- - nf_conntrack_ftp
- - nf_nat_ftp
- - ip_conntrack_irc
- - ip_nat_irc
- - nf_conntrack_irc
- - nf_nat_irc
- - ip_conntrack_tftp
- - nf_conntrack_tftp
- - nf_nat_tftp
+ - ftp
+ - irc
+ - tftp
 endef
 
 $(eval $(call KernelPackage,ipt-nathelper))
@@ -241,33 +212,14 @@ endef
 define KernelPackage/ipt-nathelper-extra/description
  Extra Netfilter (IPv4) Conntrack and NAT helpers
  Includes:
- - ip_conntrack_amanda
- - nf_conntrack_amanda
- - nf_nat_amanda
- - ip_conntrack_proto_gre
- - ip_nat_proto_gre
- - nf_conntrack_proto_gre
- - nf_nat_proto_gre
- - ip_conntrack_h323
- - ip_nat_h323
- - nf_conntrack_h323
- - nf_nat_h323
- - ip_conntrack_mms
- - ip_nat_mms
- - ip_conntrack_pptp
- - ip_nat_pptp
- - nf_conntrack_pptp
- - nf_nat_pptp
- - ip_conntrack_rtsp
- - ip_nat_rtsp
- - nf_conntrack_rtsp
- - nf_nat_rtsp
- - ip_conntrack_sip
- - ip_nat_sip
- - nf_conntrack_sip
- - nf_nat_sip
- - ip_nat_snmp_basic
- - nf_nat_snmp_basic
+ - amanda
+ - h323
+ - mms
+ - pptp (2.6)
+ - proto_gre (2.6)
+ - rtsp
+ - sip (2.6)
+ - snmp_basic
 endef
 
 $(eval $(call KernelPackage,ipt-nathelper-extra))
@@ -325,7 +277,7 @@ endef
 define KernelPackage/ipt-ulog/description
  Netfilter (IPv4) module for user-space packet logging
  Includes:
- - ipt_ULOG
+ - ULOG
 endef
 
 $(eval $(call KernelPackage,ipt-ulog))
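Review bot: The `(2.6)` qualifier on `proto_gre`, `pptp` and `sip` in the new ipt-nathelper-extra list is contradicted both by the entries it replaces (ip_conntrack_proto_gre/ip_nat_proto_gre, ip_conntrack_pptp/ip_nat_pptp and ip_conntrack_sip/ip_nat_sip sat next to the nf_* names) and by the include/netfilter.mk hunk at `@@ -264` in this same commit, which still registers `CONFIG_IP_NF_CT_PROTO_GRE` as `$(P_V4)ip_conntrack_proto_gre`. If those ip_* helpers are built for any kernel this branch still targets, the qualifier understates what the package pulls in, while `mms`, whose removed entries were only ip_conntrack_mms/ip_nat_mms, conversely gets no qualifier at all. Conntrack/NAT helpers are the part of netfilter that parses untrusted application payloads, so an accurate per-kernel inventory of which helpers a package loads is worth more than a shorter list; reconcile the qualifiers against the actual nf_add lines rather than against the old, also inconsistent, list.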
@@ -342,7 +294,7 @@ endef
 define KernelPackage/ipt-iprange/description
  Netfilter (IPv4) module for matching ip ranges
  Includes:
- - ipt_IPRANGE
+ - iprange
 endef
 
 $(eval $(call KernelPackage,ipt-iprange))
@@ -359,12 +311,11 @@ endef
 define KernelPackage/ipt-extra/description
  Other Netfilter (IPv4) kernel modules
  Includes:
- - ipt_condition
- - ipt_owner
- - xt_physdev
- - ipt_pkttype
- - xt_pkttype
- - xt_quota
+ - condition (2.4 only)
+ - owner
+ - physdev (if bridge support was enabled in kernel)
+ - pkttype
+ - quota
 endef
 
 $(eval $(call KernelPackage,ipt-extra))